Recently a script called "slowloris" has gained attention. The basic concept of what slowloris does is not a new attack but given the recent attention I have seen a small increase in attacks against some of our Apache websites.

At the moment there does not appear to be any 100% defence against this.

The best solution we have determined (so far) is to increase MaxClients.

This of course does nothing more than increase the requirements for the attacker's computer and does not actually protect the server 100%.

One other report indicates that using a reverse proxy (such as Perlbal) in front of the Apache server can help prevent the attack.

Using mod_evasive to limit the number of connections from one host and use mod_security to deny requests that look like they were issued by slowloris seem to be the best defence so far.

Has anyone on ServerFault been experiencing attacks such as this? If so, what measures did you implement to defend/prevent it?

NOTE: This question is for Apache servers as it is my understanding that Windows IIS servers are not affected.

Just a heads up. "Out of the box", varnish doesn't cache pages if it received cookies. You need to do some custom configuration to get around this. Examples are available on their site and are easy to implement.
–
DavidJun 28 '09 at 0:57

Varnish is quite programmable, so you may be able to configure it to see what's happening and deal with it. However, I think that by putting a proxy in front of apache, your just moving the problem from the web server to the proxy. The problem is still there, just in a different place. Connections/ports will still be used up. I'd start with the iptables rule listed (or the the equivalent for your firewall) then look at a proxy.
–
DavidJun 28 '09 at 1:08

1

the issue with the sloworis attack is limited to apache's multi threading model (and several other webservers that use a similar model). Varnish should survive that.
–
CianJul 13 '09 at 18:44

There's a user patch you can try. It modifies the timeout based on the load the server is under, but considering its status, you might not want to use it on a production machine, without some serious testing. Take a look here.